| IP Conntrack FTP in VE [message #37609] |
Wed, 30 September 2009 15:49  |
ulver
Messages: 12
Registered: July 2008
|
Junior Member |
|
|
Hello everybody,
I'm trying to have ftp access (in passive mode) to a VE protected by iptables.
On a physical server, i can get this working by enabling ip_conntrack & ip_conntrack_ftp but i doesn't work in the VE.
I've already read this :
http://forum.openvz.org/index.php?t=msg&goto=13133&
But it doesn't work for me 
# uname -r
2.6.26-2-openvz-amd64
# cat /etc/debian_version
5.0.2
# grep IPTABLES /etc/vz/vz.conf
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_conntrack_ftp ip_conntrack"
# cat /etc/modules
[...]
loop
ip_conntrack
ip_conntrack_ftp
# lsmod | grep connt
nf_conntrack_ftp 12728 0
nf_conntrack_ipv4 24352 16 iptable_nat,nf_nat
nf_conntrack 82688 5 nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
I manage to connect to the VE by ftp, but the DIR command doesn't work (the port is blocked on the VE by the firewall : the ip conntrack ftp doesn't seem to work ).
If you have any idea...
Thanks in advance 
[Updated on: Wed, 30 September 2009 15:59] Report message to a moderator |
|
|
|
|
|
|
|
| Re: IP Conntrack FTP in VE [message #39131 is a reply to message #39129] |
Thu, 18 March 2010 00:44  |
Erdbeergulasch
Messages: 6
Registered: March 2010
|
Junior Member |
|
|
thx for answer,
this is true, that nf_conntrack_ftp is a alias, but i think it is not loaded into the ct.
yes, the ct was restartet, after manually loading the nf_conntrack_ftp package.
and you can't set in the /etc/vz/vz.conf at the section IPTABLES, the new name of the module (nf_conntrack_ftp), because when i enter nf_conntrack_ftp to this file, than i get the error, Warning: Unknown iptable module: nf_conntrack_ftp, skipped
i think, that the problem is, that openvz thinks, the modules name is ip_conntrack_ftp and so it looks for it, but openvz doesn't find it (because it is a alias and aliases are ignored in openvz) and so it could not be loaded.
I have looked up in the file ip_tables_matches but i haven't found the module ip_conntrack_ftp
root@ct101:/# cat /proc/net/ip_tables_matches
owner
owner
mac
state
helper
conntrack
conntrack
length
ttl
tcpmss
multiport
multiport
limit
tos
tos
dscp
udplite
udp
tcp
icmp
what can i do?
|
|
|
|
|
|
| Re: IP Conntrack FTP in VE [message #39166 is a reply to message #37609] |
Sun, 21 March 2010 11:50 |
ilass
Messages: 3
Registered: March 2010
Location: Ukraine, Kiev
|
Junior Member |
|
|
Confirm.
Using kernel-PAE-2.6.27-kiprensky.1.i686.rpm from official page,
using my distro supplied kernel, my own build using patch-kiprensky.1-combined.gz, i get same result as described. I also tried this on different HW (all x86 platform).
Some info about my system(s)/configs:
Hardware node
# uname -m
i686
# uname -r
2.6.27-kiprensky.1-PAE
# lsmod |egrep '(conn|state)'
xt_state 5896 4
nf_conntrack_ipv4 14104 8 iptable_nat,nf_nat
x_tables 15756 8 ipt_ttl,ipt_REJECT,xt_tcpudp,xt_state,xt_hashlimit,iptable_nat,ip_tables,xt_multiport
nf_conntrack_ftp 11060 0
nf_conntrack 60820 5 xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ftp
# egrep 'IPTABLES' /etc/vz/conf/1003.conf
IPTABLES="ip_tables iptable_filter iptable_nat iptable_mangle ip_conntrack ip_conntrack_ftp ipt_state ipt_multiport ipt_helper"
On hardware node no iptables rules configured in FORWARD chain and tables 'raw', 'mangle', 'nat'.
Please look at module refcount: it 0, but VE started. On 2.6.18 (production) everything is ok and refcount ~ 18. Is this normal?
VE
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 21,80,873 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit
--hashlimit-upto 30/sec --hashlimit-mode dstip --hashlimit-name echo_request -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53
-j ACCEPT
# cat /proc/net/ip_tables_matches
ttl
udplite
udp
tcp
state
hashlimit
hashlimit
icmp
multiport
multiport
# cat /proc/net/ip_tables_names
mangle
filter
Using same rules on HN i get with working ftp in passive/active (production rules mostly identical), also using
# iptables -A FORWARD -m helper --helper ftp -j ACCEPT
on HN, and then connecting to ftp, i see packet count increment for this rule: so nf_conntrack_ftp matches packets. Tcpdump on venet0 also confirms this.
I also try to establish connection from VE to ftp and get same result. Modes tried: passive, active.
|
|
|
|
|
|
| Re: IP Conntrack FTP in VE [message #39384 is a reply to message #39166] |
Tue, 13 April 2010 11:38 |
ilass
Messages: 3
Registered: March 2010
Location: Ukraine, Kiev
|
Junior Member |
|
|
This happens due to missed virtualization code in nf_conntrack_ftp
(and probably others nf_conntrack_h323, nf_conntrack_sip, ..., nf_nat_ftp ...) in comparison with 2.6.18 kernels.
Probably 2.6.32 also affected. Can any one confirm this?
If in output of
$ lsmod | egrep 'nf_conntrack_ftp'
you see nf_conntrack_ftp refcount (Used by) equal to 0 or less than number of VE you run this might indicate problem (testing true server in container is more welcome).
This is true BUG.
I will make detailed report in bugzilla in few days.
[Updated on: Tue, 13 April 2010 11:43] Report message to a moderator |
|
|
|
|
|
|
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
